How can I replace the XP MBR on a Dell with the XP "Downgrade"?

When Vista came out, Dell offered a "downgrade option" in which they would install XP Pro instead of Vista Pro.  They continued that option into Windows 7.  This downgrade is CLEARLY not simply an XP installation instead of Vista/W7 -

It seems as if the MBR is still Vista/W7 because when you hit F8 to enter safe mode you first get a screen asking which OS to load (XP is the only choice), then you get the XP startup menu like normal.

Additionally, when using programs such as Hitman Pro to repair MBR infections, it does NOT find the infection.  

I seem to recall early on that I used an XP CD to boot, and either replaced the MBR with it, rendering the machine unable to start at all, or the usual process failed - All I can remember for certain is that I had to re-format the hard drive and install WXP fresh after the failed attempt to replace the MBR.

So is it possible there is a VISTA/W7 MBR that loads another hidden MBR to get XP running?  If so, how do I get to the XP MBR to replace it?

I cannot start in safe mode - I get a blue screen when trying.  This is only happening on this FBI ransomware computer and is not a problem on other computers with the XP "downgrade".
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Gary CaseRetiredCommented:
Check to see if you simply need to remove a blank choice in BOOT.INI

Easiest way to edit it is right-click on My Computer; select Properties; click on the Advanced tab; click on Settings in the Startup and Recovery section; then click on Edit.

Be sure there's only one line under "operating systems" -- and NOT a blank line.
David Johnson, CD, MVPOwnerCommented:
from a vista or later boot disk command prompt
bootsect /nt52 /all /force /mbr

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
>> I cannot start in safe mode - I get a blue screen when trying.

I am assuming that it is occuring while you choose under XP in safe mode, if yes, try run a system repair with the XP CD, it might help sometime
CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

kenlottermanAuthor Commented:
Just to let you know,  I suddenly got *crazy* busy and have not had a chance to respond to your comments.  I will as soon as possible, though.  Thank you.
Gary CaseRetiredCommented:
"... This downgrade is CLEARLY not simply an XP installation instead of Vista/W7 " ==>  Actually that's exactly what it is.     They may not have updated the MBR, but there are certainly NO remnants of Vista/W7 on the system, as only XP was ever imaged to the disk.    The OS choice is likely because of a blank line in the BOOT.INI file ... if you remove that, you wont' get that extra prompt [but you probably can't do that now due to the "ransomware" issue]

".. I cannot start in safe mode - I get a blue screen when trying.  This is only happening on this FBI ransomware computer ..."  ==>  It sounds like the actual problem here is the PC has the "FBI Ransomware" issue and you need help removing that.   Is that correct?
David Johnson, CD, MVPOwnerCommented:
garycase: I think you nailed it..

Here is a list of files that have to be removed:
 C:\Documents and Settings\\Start Menu\Programs\Startup\ ctfmon.lnk
C:\Documents and Settings\\Start Menu\Programs\Startup\.lnk
C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ctfmon.lnk
C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .lnk
C:\Documents and Settings\\Local Settings\Temp\.exe
C:\Program Data\lsass.exe
C:\Program Data\.exe

In order to remove this ransomware you have use safemode with networking and login with an infected account:

Paste this into a browser: and it must be the MoneyPak/Ukash/PaySafeCard variant.  You might want to use another machine and download the file onto a write-protected usb stick (or a cdrom)

Malware is getting pretty advanced these days.. have you considered a reformat and reinstall from a backup?
kenlottermanAuthor Commented:
garycase - I mentioned the FBI ransomware simply as an example, and not in an effort to remove the FBI ransomware.  It's a good example because in that particular case, according to HitMan Pro, the MBR had been infected, and I could only get to what I perceive as a non-XP MBR.  

Another example: I have a linux CD that can be used to change or blank Windows account passwords, for example, but it is totally useless on computers that have the XP downgrade because it cannot find an operating system.  My perception is that the program only looks at the "first" MBR.  My perception is that the Vista MBR "launches" the XP MBR.

There have actually been a few other instances in which what I perceive to be a dual MBR of sorts has been an issue, and I was hoping for an explanation of how to replace the XP MBR.

Does that make sense?

By the way, Dell tech support has been NO help whatsoever.
kenlottermanAuthor Commented:
I just re-read ve3ofa's comment and it brough back vague recollections of trying to reinstall WXP on one of these downgraded computers and the install process choked on finding the partition.  please note my memory isn't that great, but I think I had to put the hard drive into another computer and delete all the partitions in order to proceed.  I think.  But i also feel like I had to throw the hard drive away because I couldn't get XP's install to recognize partitions at all.  But that memory may have been of a different completely unrelated issue...
Gary CaseRetiredCommented:
Okay, I'm a bit confused.    You said "...  This is only happening on this FBI ransomware computer ..."  ==> so does this system have the Ransomware issue or not?    Has it HAD that issue and the current state is after it was removed?   etc.

There aren't "XP MBR"s, "Vista MBR"s, etc.    The MBR is a well-defined structure that is written when a disk is initialized.    Even a GPT disk writes a "protective" MBR so it "looks" like an MBR disk to OS's that aren't GPT-aware.

The list of OS's you mentioned is almost certainly due to a blank line in the BOOT.INI file;  but if you can't boot the system you can't edit that until you resolve that.

If you boot an XP CD and go to the Recovery Console, you can run the FIXMBR command to rewrite the MBR.    Depending on just what the issue is, this MAY get you to the point where you can then boot to XP (at least to Safe Mode) and work on resolution of your problem.
David Johnson, CD, MVPOwnerCommented:
Downgrading from a windows 6 or newer operating system to a <6.0 O/S the mbr may not be rewritten to the nt52 specs and your system will still happily boot using the bcd store which then loads the ntldr / boot.ini / ... sequence

(a non existing boot.ini is in fact useable. as ntldr will look for c:\winnt and c:\windows on the first hard drive and active primary partition) will show you many of the different formats of a MBR

MBR attacks used to be the norm.. I've seen many 'Stoned' PC's
kenlottermanAuthor Commented:
garycase I can see where that was confusing.  I *try* to write in as least confusing terms as possible, but now an again, something gets past me the editor.  The "only happening" refers to the issue mentioned in the note, which is the blue screen.  It's been so long now since I originally posted this issue that I have forgotten the relevance :)

I will dig out my wikipedia set and check those articles, ve3ofa.  thank you for that.

"BCD" is a new term to me, and may hold the key to this issue.  I was convinced that MBR was at the heart of it.
kenlottermanAuthor Commented:
By the time I 'got around to" closing this issue, it was no longer an issue.  I disributed points to all contributors who addressed the issue, which was no removing the virus.  thank you.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.